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Abstract — Key management in wireless sensor networks faces several new challenges. The scale, resource limitations, and new threats 
such as node capture necessitate the use of an on-line key generation by the nodes themselves. However, the cost of such schemes is 
high since their secrecy is based on computational complexity Recently, several research contributions justified that the wireless channel 
itself can be used to generate information-theoretic secure keys. By exchanging sampling messages during movement, a bit string can be 
derived that is only known to the involved entities. Yet, movement is not the only possibility to generate randomness. The channel response 
is also strongly dependent on the frequency of the transmitted signal. In our work, we introduce a protocol for key generation based on the 
frequency-selectivity of channel fading. The practical advantage of this approach is that we do not require node movement. Thus, the frequent 
case of a sensor network with static motes is supported. Furthermore, the error correction property of the protocol mitigates the effects of 
measurement errors and other temporal effects, giving rise to an agreement rate of over 97%. We show the applicability of our protocol by 
implementing it on MICAz motes, and evaluate its robustness and secrecy through experiments and analysis. 

Index Terms — Security and protection, wireless communication, secret key generation, performance evaluation 
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1 Introduction 

SECURING wireless sensor networks (WSNs) has been 
one of the main wireless network research areas in re- 
cent years. Especially key generation and key management, 
which are at the heart of any security design, pose new 
thallenges because of the low computational capabilities 
of wireless motes, their limited battery lifetime, and the 
broadcast nature of wireless communication. Given these 
peculiarities, a large number of key management protocols 
for WSNs has been proposed, often fine-tuned between 
different performance vs. security trade-offs and adapted 
for specific WSN scenarios and their applications (for a 
general overview see, e.g., f6l, fSTl). However, most of these 
protocols follow a conventional cryptographic approach, 
where the secret is based either on pre-distributed keys 
or public-key schemes assuming more performance capa- 
ble devices that are able to generate and distribute the 
keys. Although there have been efforts to adapt public 
key cryptographic protocols to the world of WSNs (e.g., 
TinyECC [14J), these adaptations usually have a significant 
complexity and memory footprint as well as a high energy 
consumption (for energy analysis of public key schemes. 
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see, e.g., [27J). As an example, TinyECC (with optimiza- 
tions) requires roughly 20 kB of ROM and 1.7 kB of RAM 
[14], which is 15.6% and 42.5% of the overall available 
memory resources of MICAz sensor motes, respectively, 
and single operations require computation time in the 
order of seconds. 

Recently, there have been research contributions that 
follow an alternative path towards key generation using an 
information-theoretic approach to derive secrets from unau- 
thenticated broadcast channels. Informally, the general idea 
is similar to the quantum world, in which the laws of quan- 
tum mechanics ensure that two spatially separated particles 
experience highly correlated quantum states (called "quan- 
tum entanglement"). Measuring the quantum properties of 
one particle discloses the knowledge of another. However, 
in contrast to the mystical quantum nature, contributions 
on key generation using wireless channel are concerned 
with conventional physical signal propagation and, to some 
extent, its reciprocal behavior. Specifically, recent results 
described by Mathur et al. IITSi and Azimi-Sadjadi et al. Q 
justify that the unpredictable multipath propagation and 
the resulting fading behavior of wireless channel can be 
used to extract shared secret material. Simply by exchang- 
ing messages that serve to sample the signal propaga- 
tion behavior, both transmitters can establish mutual se- 



cret information, while an eavesdropper who also receives 
these messages still remains completely ignorant of their 
channel measurements. Since the secrecy of the extracted 
information is not based on computational complexity as 
common to conventional public key cryptography, these 
protocols are especially valuable to computationally limited 
wireless devices. Yet, existing solutions require that the 
wireless devices move at certain speeds to produce enough 
unpredictability in their signals. Thus, the most prevalent 
applications of WSNs which are based on static wireless 
motes make these protocols inapplicable. This brings us 
to the contribution of this work, which abstains from this 
limitation and provides a novel key generation protocol for 
static WSNs. The main contributions of this paper are: 

• Design of a robust key generation protocol with an 
error-correcting property against channel deviations 
(-> Section m. 

• Implementation of the protocol on static MICAz sensor 
motes and analysis of the protocol's robustness and 
the secrecy of derived keys, especially with respect to 
dependencies between wireless channels (— > Section|5ll. 

• Derivation of a stochastic model describing the secrecy 
of the protocol, its validation using experimental data, 
and guidelines on increasing the number of generated 
secret bits (— > Section (Sjl. 

In summary, we demonstrate the applicability of a key 
generation protocol that takes advantage of the wireless 
channel behavior in static wireless networks and analyze 
different trade-offs between it's robustness to channel de- 
viations and available secrecy. 

2 Related Work 

The use of physical properties was first considered in the 
context of quantum cryptography. The laws of quantum 
mechanics ensure that the same quantum states are ob- 
served by two spatially separated parties. Several proto- 
cols have been proposed that exploit this property and 
can guarantee the detection of eavesdroppers [4J, [7J. The 
concept was generalized in the framework of information 
theory by Maurer |T6]. Here, random sources observable by 
three parties are considered: a source provides two strongly 
correlated variables to two legitimate participants, and a 
weaker correlated variable to an eavesdropper. This work 
shows that information-theoretically secure keys can be 
derived from such sources even when an adversary has 
partial access to the source of information. The theoretical 
concept was instantiated for the use of wireless channels 
by the same research group flSl , flTll . 

Several research contributions apply this concept to 
narrow-band communication systems to generate secret 
keys from a wireless channel. Mathur et al. IITSi use the 
randomness of the received signal strength, which is intro- 
duced by movement, as a source for correlated information. 



the so-called "radio-telepathy". By frequent sampling of 
the wireless channel both parties can create a sequence 
of channel states that are strongly correlated because of 
the principle of reciprocity. The fading behavior on a 
single sampling frequency is strongly dependent on the 
physical position, and movement introduces uncertainty 
for an adversary that is captured in these sequences. The 
degree of reciprocity decreases rapidly in space, such that 
eavesdropping on sampling messages does not allow to 
infer the channel state between the legitimate nodes. The 
authors employ a level-crossing algorithm that uses two 
thresholds for signal strength values to generate bit strings. 
For information reconciliation, both parties detect mutual 
excursions by exchanging suitable candidate regions in the 
sequence, thereby increasing the chance to produce shared 
secret bits. The longer the required excursions are, the more 
robust the scheme is against measurement errors. Yet, in 
contrast to our work, their solution requires movement as 
a generator of randomness and thus it is not applicable 
to static networks. Additionally, the protocol introduced 
in 1 15 1 requires more powerful devices such as laptops 
or software-defined radios, as a high sampling rate is 
necessary and a complex reconciliation mechanism is used 
to avoid errors. 

Azimi-Sadjadi et al. |2l propose a similar protocol that 
focuses mainly on the robustness of the key generation 
process, i.e., tolerance against deviations in the wireless 
channel and a high success rate. They employ a single 
threshold for detection of strong deep fades introduced by 
movement, an event that is reliably detectable, but also 
rare (in the order of Hz), again depending on the speed 
of movement. Every sample is turned into an output bit 
of the protocol, which leads to long sequences of "l"s, 
representing the absence of deep fades, interrupted by 
shorter sequences of "0"s. The resulting bit string is not 
directly usable as keying material, as the uncertainty for 
an attacker is located in the position of the deep fades in 
the string. Thus, not all bits are equally unpredictable, and 
the authors consider the use of randomness extractors to 
produce uniformly random strings. No quantitative evalu- 
ation of secrecy is given, but considering the use of deep 
fades only and the nature of randomness extractors, we 
estimate that the use of this protocol results in a lower 
secret bit rate than the approach in [15J. Further results on 
such key extraction protocols, especially with respect to the 
effectiveness in realistic scenarios, are given in (TT). 

Several other contributions use highly specialized hard- 
ware, such as steerable antennas, ultra-wideband (UWB) 
radio or multi-antenna systems with performance-capable 
processors [IJ, |30|, |33|. In contrast, this paper focuses 
on the capabilities of conventional "off-the-shelf" sensor 
motes, without the need for additional equipment. 

In summary, it can be stated that current solutions 
provide valuable insights into the feasibility of key gen- 



pa ■ 
So 

CD 

X ■ 






Pil 



I 



11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

Wireless channels 
(a) Alice's view when Bob transmits 



6§ 
na ■ 
T3. ,„ 



^ = 



be 

-a ' 

01 o 

> <? 

CI) CD 
Pi ' 



11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

Wireless channels 
(b) Bob's view when Alice transmits 



pa 

T3 



0) 



p-pp=nnn,|n 



Dc 



□DD 



11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

Wireless channels 
(c) Deviations between views 



Fig. 1: The reciprocity of the wireless channel state is strong enough to enable the extraction of shared secret information. 



eration using physical properties, but several important 
issues still remain open. Especially the hardware platform 
that benefits most from key generation schemes, wireless 
sensor networks, is still unsupported. As current protocols 
require movement and complex reconciliation to guarantee 
successful key generation, the most prevalent static scenarios 
are not considered. Our work closes this gap with a protocol 
that can be used even on the most resource-constrained 
hardware and is specially designed for static environments. 
Our initial results are presented in (28ll and ||29i . This 
work extends our previous results and finalizes them. It 
offers extensive experimental analysis using IEEE 802.15.4 
technology, an in-depth evaluation of secrecy, especially 
with respect to dependencies between wireless channels, 
and a stochastic model that captures the behavior of the 
proposed protocol and provides predictions on the different 
trade-offs between security and robustness. 

3 Concept 

In this section, we introduce the concept of key generation 
using the frequency-selectivity of wireless channels. As we 
base the secrecy of our protocol on our ability to extract 
secrets at two different locations, we require two things 
from the wireless channel: strongly correlated information 
between the two parties and high uncertainty about the 
generated keying material for adversaries. 

3.1 Robustness Considerations 

The principle of channel reciprocity states that two receivers 
experience the same properties of the wireless channel if 
their role as sender and receiver is exchanged, given that 
the time interval is shorter than the coherence time tc of 
the channel. As we mainly consider static scenarios, the 
reciprocity between nodes is strong, even if the sampling 
rate is small owning to the limited capabilities of the con- 
sidered hardware. Measurements show that we are able to 



distinguish signal strengths even when using fine-grained 
levels. As an example of this behavior. Fig. [T] presents 
such measurements from a single constellation of sender 
and receiver. On each channel, 16 sampling messages are 
exchanged to generate robust results. The experiments ex- 
hibit bounded deviations, the RSS indicator reported by the 
hardware is able to capture the channel state accurately 
enough to enable successful key generations. 

Imperfect reciprocity directly influences the robustness of 
the proposed key generation protocol, as deviations in the 
view on the channel lead to disagreement in the produced 
bit strings. A second factor is measurement errors caused 
by noise, both in the measurement circuits and the wireless 
channel. All of these deviations must be corrected to suc- 
cessfully generate secret keys. Our experimental analysis 
presented in Section |5^ will show that these deviations are 
sufficiently small for different indoor scenarios, and secrets 
can be generated reliably even on stock sensor motes. 

3.2 Security Considerations 

The unpredictability of the channel state is the most im- 
portant aspect when considering the wireless channel as 
a source of randomness, as it directly affects the available 
secrecy. In the related work fl5|, |2|, the spatial selectivity of 
the wireless channel due to movement is used to generate 
secret bits. In this work, we show that the frequency- 
selectivity of multipath fading is a viable alternative to 
generate secret information using the wireless channel, 
without requiring node movement. 

In general, wireless signals are not traveling on a single 
path from a sender to a receiver, but arrive from several 
directions at the receiver, i.e., the signal exhibits multipath 
propagation characteristics. Each path is affected by differ- 
ent attenuations and phase shifts, and the resulting signal 
at the receiver is a combination of all signal paths by wave 
interference, resulting in a channel response depending 
on many variables. A small variation in phase, e.g., by 
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Fig. 2: Taking advantage of spatial and frequency selectiv- 
ity of multipath fading experienced in wireless channels. 
Even if Eve takes positions on a circle with 10 cm radius 
around the position of the legitimate transmitter (Bob), the 
measured signalprints are significantly different from Bob's 
measurements. 



using a different carrier frequency, leads to unpredictable 
changes in the signal strength, even when signal paths 
are unchanged. This behavior is captured by the impulse 
response of the wireless channel, consisting of a number of 
time-shifted Dirac pulses 8, and considering L signal paths 



h(T)=^a,e^'^',5(T-rO. 



1=1 



with different values of each path for the amplitude a;, 
phase shift (t>i and delay r/, acting as random variables. 
Because of phase shifts, interference effects can lead to sig- 
nal cancellation or amplification, depending on the relative 
phase shifts. 

To show the magnitude of these effects, we conducted an 
experiment to evaluate the selectivity of the channel both 



with respect to position and carrier frequency. Fig. |2] shows 
the uncertainty of an adversary even if he is positioned 
very close Bob. Each barplot represents the received signal 
strength measurements on 16 channels in the 2.4 GHz range 
available on the MlCAz platform. The sensor mote acting 
as Alice was placed in a fixed position on a desk. Bob was 
placed in an adjacent room, such that both were separated 
by a wall, and the channel response was sampled from 12 
positions on a 10 cm radius around Bob's initial position. 
The results show that the multipath effects are strong, and 
even if an attacker has knowledge of the environment and 
the positions of Alice and Bob; the channel behavior is 
unpredictable. Even ray-tracing approaches are unable to 
capture this behavior precisely, as a highly accurate model 
of the environment capturing minimal phase shifts would 
be required. Extensive results on the amount of uncertainty 
for an adversary obtained in our experiments are given in 
Section [ 



3.3 System Model 

We are interested in the amount of uncertainty that an adver- 
sary experiences. Information theory introduces the notion 
of (Shannon) entropy to quantify the average amount of 
information of a discrete random variable, making it suit- 
able for capturing the amount of uncertainty an attacker 
experiences. In this section, we derive a stochastic model 
of the system enabling us to evaluate the secrecy of the 
proposed protocol based on signal strength distributions of 
real-world measurements. 

3.3. 1 Secrets from the Wireless Channel 

The state of the wireless channel for a specified frequency 
at a certain point in time is captured by the discrete random 
variable C, that is, we assume that only finite precision can 
be achieved in channel state acquisition. Possible sources 
for this variable are, for example, the complex impulse 
response of the channel, or as in our case, the received 
signal strength. The outcome of C is stable during channel 
coherence time, which depends on the speed of movement. 
In static scenarios on which we focus this time is very long, 
enabling us to take several samples and use mean values 
as outcomes of C. 

Both Alice and Bob have access to the wireless channel 
and can exchange sampling messages. Each can monitor 
one of the random variables 
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with Cx being the measured channel state at the respective 
position and N^ being random variables representing the 
noise processes that introduce errors in the channel state 
estimations. With the help of channel reciprocity we can 
assume that Caucc — Ceob = C, i.e., both parties experience 



the same channel properties in their exchanged sampling 
messages. The mutual information that the channel pro- 
vides is described by 

I (-'^Alicc, -^^Bob) = H (XaUco) — H (^Aliccl-'^Bob) < H (C) . 

The conditional entropy H (XAiiccl^Bob) is zero if the chan- 
nel is noiseless, and then the amount of shared information 
which Alice and Bob gain from monitoring the wireless 
channel is quantified by the entropy H (C) of the channel 
state variable, given by 

H(C)--^p(c)logp(c), 

cec 

where p (c) denotes the probability mass function of C and 
C its support. This also represents the maximum attainable 
mutual information from the wireless channel, because the 
noise term N = Naucc — ^Bob that captures deviations 
in the measurements has a negative effect on the mutual 
information |17|. We propose a reconciliation mechanism 
to correct the errors introduced at this point, which is 
presented in the next section. An experimental evaluation 
of the magnitude of measurement errors and the effects 
on secrecy is given in Section |5l as we aim to quantify 
the amount of secrecy using the propagation properties of 
realistic wireless channels. 

An eavesdropper who can also monitor the sampling 
message to infer the channel state C between Alice and 
Bob measures Xevo = Cevc + ^Evo- As C and Cevc de- 
correlate rapidly in space, as shown empirically by Mathur 
et al. in |15|, the mutual information I(XAiice,-'fEvc) and 
I (XBob, -'^Evc) are approaching zero if the distance is greater 
than a wavelength, thus eavesdropping on the sampling 
messages does not help Eve to infer information on C. The 
entropy H (C) stands against Eve, it quantifies the amount 
of uncertainty in the channel state for Eve accurately. 

However, the information on a single channel is limited, 
and a way must be identified to increase the amount of 
shared information between Alice and Bob. Two possibil- 
ities of increasing entropy can be considered: (i) create a 
random process C (t) by moving the devices (reducing the 
channel coherence time), or (ii) probe multiple channels 
to exploit the frequency-selectivity of the wireless channel. 
The first approach is followed in {T5\, [1\, which is effective 
and easy to analyze for its secrecy but, as pointed out, poses 
several problems for an adoption in WSNs. To support static 
networks, we propose and evaluate the second approach in 
this work. 

3.3.2 Multiple Channels 

We now consider the random vector C = (Ci,...,C„), 
measured on n different frequencies (channels). In this 



measures the corresponding vector Xsob/ which both can 
be used to obtain the mutual information 

I (XAlicc, Xsob) = H (XaUcc) — H (XAlicc|XBob) < H (C) , 

assuming reciprocity on all channels and H (C) being the 
joint entropy over all channels, given by 
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If the elements in the random vector are independent, 
then the amount of uncertainty can directly be evaluated 
using the entropy values from individual channels, H (C) = 
X]r=i H i^i)- This value represents an upper bound on the 
joint entropy, as known dependencies between the variables 
enable predictions and reduce the overall uncertainty of 
Eve. Wireless channels experience correlated fading if the 
distance between the center frequencies is smaller than the 
coherence bandwidth. This is the case for our hardware 
platform, MlCAz sensor motes. If it were not the case, the 
secrecy analysis would be fairly easy. Yet, in Section |5] we 
will not make that simplifying assumption. Therefore, we 
analyze the dependency structure to evaluate the amount 
of uncertainty, i.e., the secrecy of keys generated by the 
presented protocol. We do this with respect to the following 
adversarial model. 

3.3.3 Adversarial Model 

One important aspect for the quantification of secrecy of 
such a scheme is to define the abilities of an adversary, 
in the same way as it is necessary when evaluating cryp- 
tographic security protocols. For instance, computation- 
ally unbounded attackers can break Diffie-Hellman key 
agreements with ease because they can solve any problem 
that relies on computational complexity. Similarly, an at- 
tacker who can take exactly the same physical positions as 
legitimate sensor nodes can break our key generation proto- 
col. Yet, with realistic constraints on an attacker, the security 
of the protocol can be analyzed quantitatively. 

An adversary has several options to attack the secrecy of 
the key generation protocol. It can eavesdrop on the wire- 
less channel and observe both the content of the messages 
and the signal strengths that it can experience at its position. 
As the content of the messages carries no information and 
the signal strength de-correlates rapidly in space, this gives 
it very little information on the channel state between 
Alice and Bob. Thus, eavesdropping is not an effective 
option. With its presence, it can only prevent Alice and 
Bob from exchanging secret information in plaintext over 
the wireless channel. 

The best attack vector is to model the multipath channel 
between Alice and Bob, taking into consideration the hard- 
ware and environment, and then infer the signal strength 
values. Knowledge to aid an attacker in this modeling can 
come from plans of the building for indoor scenarios or 



from observations of the environment, from the positions 
of Alice and Bob by observation of the sensor motes, or 
via positioning methods using wireless signals, such as 
triangulation. While the effects of path loss and shadowing 
on the line-of-sight (LOS) connection between the two 
nodes are predictable (e.g., using ray-tracing methods [9J), 
the resolution of the multipath components is very chal- 
lenging. To refine its model, an adversary is allowed to 
do measurements with similar hardware off-site. The only 
assumption here is that the attacker cannot measure at 
the very same positions of the legitimate sensors during 
operation, because this is equivalent to a node capture 
which discloses the key directly. 

Given this information, we can model the knowledge of 
an adversary by limiting possible signal strengths to the 
distribution of signal strengths of similar positions. This 
can be achieved by using the distribution of signal strength 
values from channel propagation models, that is, he can 
generate accurate distributions for Ci between Alice and 
Bob. This allows quantifying the amount of uncertainty 
that the attacker experiences; we can quantify its expected 
uncertainty with the entropy H (C) of the signal strength 
distributions of the wireless channel. 



4 Protocol Design 

In this section, we present our novel key generation pro- 
tocol suitable even for limited hardware capabilities by 
using a performance-aware design, specifically with WSNs 
in mind. 

hi the following, we conduct measurements by sam- 
pling RSS values on a set of n different frequencies J^ = 
{/i,...,/„} (also referred to as channels). The number of 
samples taken is k, i.e., for each channel fi we collect a 



set of measurements m^ = im^ , . . . ,m- >. To increase 
the error tolerance of our scheme, we calculate the mean 



constitutes a metric space, a necessary prerequisite for the 
discussion of our error correction scheme. 

4.1 Multi-level Quantization 

To successfully repair deviations in channel state measure- 
ments between Alice and Bob, we use multi-level quanti- 
zation to make close measurements equal. In general, our 
quantization scheme Q uses a subset of the metric space M, 
Q — {qi,. . . ^qx} Q M, with a total of K elements, 
the quantization levels. The most important property of the 
quantization scheme is the tolerance t of the quantization Q. 
This is the largest distance for which an to g A^ is 
mapped uniquely, i.e., for all jii e M., we have dis (/i^, q) < t 
for at most one q E Q. Therefore, all values /i^ , /i^ are 
mapped to q given their distance to q is small enough. 

4.1.1 Construction 

We choose K elements of A^ with the same distance d 
between quantization levels, where p = [log2 K~\ is the 
number of bits that are needed to identify a level. This 
equidistance ensures that the tolerance t is the same for 
all values in A4. We denote this quantization as Qt = 
{qi, . . . , qii}, the bijective mapping to the binary represen- 
tation as bin : Qt -^ {0, 1}^, which maps quantized values 
to binary strings. Since /imin and /imax are both fixed values, 
the distance d between neighboring quantization levels is 
reduced as the number of levels increases. The relation is 
given by d = Pmax-pmini ^ -pj^g tolerance of this scheme is 
given by t = |, since all levels are evenly spaced. The 
number of levels therefore directly affects the tolerance 
of the quantization scheme, therefore, when fewer levels 
are considered, larger deviations can be repaired. The pro- 
cess of quantization maps the value /i to the levels q with 
a minimal distance in M, formally 

q, (/i) = arg min dis (/z, q) . 
qeQt 



value M* = i ELi ^A of these RSS samples. We view this For example, consider the quantization scheme 



mean value as the random variable Ci, which is distributed 
depending on the characteristics of wireless propagation, 
e.g., following the commonly assumed Rayleigh or Ricean 
distributions. The means of all n channels are combined 
to the random vector C = (Ci,...,C„). A realization, 
the outcome of our measurements is /i = {fii, . . . , fin), 
with Hi e M = [Aimin,Mmax], the range of signal strength 
values that can be measured by the hardware platform. We 
assume that only a finite precision in the measurements 
can be achieved. As an example, in our wireless sensor 
network testbeds we used M = [-104, -40] dBm, with a 
precision depending on the number of samples taken, since 
each RSS sample is integer valued. We associate Ai with 
the distance function dis : A^ x A^ — > R+ defined as 
dis {iii,fi[) := \fj,i — ii[\, which is the difference in dB in 
our case. Thus, M together with this distance function 



Qi = {-104, -102,..., -42, -40} 

with 32 levels and tolerance t = 1 for our metric space A4. 
For this, the measured value /i = -71.424 dBm is quantized 
to the level q = -72. This ensures that values with distances 
smaller than 1 dB are mapped to equal levels. 

4. 1.2 Tolerance Properties of the Quantization Scheme 
The amount of uncertainty is reduced in this process as 
several values are mapped to the same quantization level, 
but at the same time the tolerance for deviations is in- 
creased. Thus, we can trade between robustness and secrecy 
by choosing a Qt with a suitable tolerance i G R that is able 
to correct errors in measurements given dis (^, ^') < t. 

Still, some constellations are possible, such that /i and /x' 
are mapped to two different levels (e.g., given Qi, /z = 



Samplinj 


5 Phase Alice Bob 












switchChannel() 


^ 




1 ^ 






'' 








1 r 


- 


m/ = RSS(sa?npZe) 


sampleChannel() 


m'l'^ = RSS{sample) 






1 II 


sampleChannel() 




1 "^ 


■^ 


M. = iEL-« 




, _ 1 v-fe /(i) \ 
t^i — k 2^] = 1 ^i 




Ke 


Y Generation Phase ^ 




m' 







(T,P) 






j ti = chooseTolerance (nii, errors) 

r 


t, = get Tolerance (T) 

Pj = getReconcileToken (P) 


,^ 1 


1 P==(Fi,...,P„) T = (ii,...,i„) 




. " 1 


1 

1 secret = hva{qi) ■ ■ ■ bin(g„) 


secret' = bin(gi) • • • bin(g^) 




Ke 

1 


Y Verification Phase secret 




secret' 


h (secret^ == h ( secret')? 


h(secret') 


1 




False: Choose new tolerances ti 
True: Key verified. 


successO 




1 


1 

















Fig. 3: Key generation protocol. The protocol operates in three phases; (i) the acquisition of channel state estimates, (ii) 
error correction using multi-level quantization and (in) secret verification. The channel state estimates can be reused if 
the chosen tolerance values are too small for the experienced deviations. 



-70.9 dBm and ^' = -71.1 dBm are mapped to -70 and -72, 
respectively). To correct these error patterns, we need to 
send a public piece of information P that helps Bob to rec- 
oncile his measurement and recover the same quantization 
results as Alice. Of course, at the same time P should reveal 
no new information to Eve. 

Our construction is straightforward: Alice calculates P = 
q^ (/i) — /i, the shift that is necessary from fi to the corre- 
sponding quantization value 9 = q^ (/i), and uses q as her 
secret information. This shift is always smaller than or equal 
to t, and therefore reveals only information that is discarded 
by Alice and Bob anjrway due to the quantization property. 
Alice then sends P via public channel to Bob, who uses P 
to generate the same level q using his measurement ^' by 
calculating q = q^ (/i' + P)- 

Claim 1: By using this reconciliation scheme, both Alice 
and Bob obtain q, given dis (^, ^') < t. 

Proof: Considering dis (/i, ^') < t, then the distance 
between the mean values is unchanged when both sides 
are shifted by P, i.e., dis (^ + P, ^' + P) < t. From the 
construction of P, we can infer that 9 = q^ (/i) = fJ, + P, and 
thus dis {q, fi' + P) < t. Finally, as the quantization distance 
of the used scheme is t, n' + P is uniquely mapped to q by 
Bob as well, q^ (^' + P) = q. D 

4.2 Key Generation Protocol 

The proposed key generation protocol operates in three 
phases. In the sampling phase, the channel state is acquired, 
and due to the reciprocity of the wireless channel state in- 



formation strongly correlated measurements are collected 
by the two legitimate parties in the protocol. In the key 
generation phase, these deviations are corrected, resulting in 
a secret bit string that is guaranteed to be equal if the expe- 
rienced deviations are bounded and suitable quantization 
levels are chosen. The key verification phase ensures correct 
key agreement. The complete protocol is shown in Fig. |3| 
We used a straightforward protocol for the ease of presenta- 
tion of the protocol analysis, but we also experimented with 
several protocol optimizations that can further increase the 
robustness and secrecy of the protocol, as presented in 
Section lO 



4.2. 1 Sampling Phase 

In this initial phase, Alice and Bob exchange sampling 
messages over the set of available wireless channels. For 
each of the n frequencies in T, Alice and Bob exchange 
k messages and each one stores a set of measured RSS 
values m-i or rn'^, respectively. Alice initiates the message 
exchanges. Bob answers incoming sampling messages as 
fast as possible for a maximum of channel reciprocity. Due 
to constraints of the mote hardware, the samples must 
be collected in an interleaved manner, such that the state 
of the wireless channel can change slightly, contributing 
to the noise terms iVAUco and A^sob- However, by using 
several sampling messages per channel, the adverse effects 
of such short term deviations can be mitigated. The mean 
values fM — ^ X],=i "^i are then computed by Alice, while 
Bob proceeds similarly with /i'^. Thus, after finishing the 



sampling phase, both Alice and Bob possess the vectors of 
channel state information jjb and jjI that capture the fading 
behavior of the wireless channel. 



4.2.2 Key Generation Phase 

The gathered mean value vectors /x and jj! contain secret 
information that can be used as secret keys, but after the 
sampling phase these vectors are unlikely to agree. The 
key generation phase uses information reconciliation based 
on the introduced error correction scheme to produce a 
bit string that is equal on both sides, without discarding 
shared bits or revealing information to eavesdroppers. Alice 
chooses a set of tolerance values T = (ii,...,t„) based 
on the variance of its RSS values rrii and the number 
of experienced verification errors from potential previous 
runs. We used the same starting tolerance value <i = 1 for all 
channels in our experiments and analysis, which achieves 
a high rate of successful key agreements as well as good 
secrecy, as shown experimentally with our implementation. 
However, the choice of tolerance values strongly influ- 
ences the robustness and secrecy trade-off, and considering 
optimization at this point is useful (see a corresponding 
discussion in Section |43)| . 

Alice uses the tolerance values to instantiate the appro- 
priate quantization functions q^ and applies them on her 
mean values Hi to generate the values qi for each channel. 
She also generates the vector of public reconciliation strings 
P = (Pi, . . . , P„) by calculating Pi = qi — jii to aid Bob in 
his error correction and to ensure matching secrets. He can 
then generate his quantization level vector by calculating 
q[ = q^ [^[ + Pi)- Both parties now have sufficient informa- 
tion to generate their candidate secrets secret and secret' 
by concatenating the resulting binary strings. 

4.2.3 Key Verification Phase 

Finally, both parties proceed to verify if the secret keys are 
generated successfully, i.e., if a mutual secret is established. 
After Bob has finished his computations, he sends the hash 
value h {secret') of his secret string to Alice. Alice ensures 
successful key generation by comparing Bob's value to 
her secret string. If the hash values do not match, Alice 
can retry the key generation by increasing the error count 
and choosing new tolerance values in the key generation 
phase; redoing the sampling of the wireless channel is not 
necessary. The approach used in our implementation uses 
a tolerance increase of 0.5 dB on each channel. However, 
our implementation on MICAz sensor motes presented in 
the next section shows that with a tolerance t = 1, key 
agreement was reached in 94.6% of the cases on the first 
try. 

After finishing this step, both Alice and Bob share a secret 
key that can be used to support security services. 



4.3 Protocol Optimizations 

We experimented with some optimizations to increase the 
robustness and secrecy of our protocol, and discuss some 
options in this section. The later sections, however, base 
their analysis on the protocol described in the previous 
section. 

The function chooseTolerance can be improved further 
when the tolerance values ti are chosen independently for 
each channel. Our experiments show that only one or two 
channels have deviations larger than the used tolerance 
values, and therefore prevent a successful key generation. 
By choosing a higher tolerance value for single channels 
only, Alice can start several key verification phases until 
the mismatching channel is identified. 

Our experiments show that the deviations can be approx- 
imated well by a Normal distribution. This enables us to 
predict the success probability of a protocol run, that can 
be used by Alice to aggressively choose low tolerances in 
the beginning to increase the entropy of secret strings, e.g., 
by initially achieving only a 56 % chance of a successful key 
agreement with a tolerance value t = 0.4. 

5 llMPLEIMENTATION RESULTS 

After the definition of the key generation protocol, the next 
interesting aspect is how this protocol performs in real- 
world environments, and how large the achievable secrecy 
and robustness is given realistic propagation properties. 
With several experiments, these properties are explored in 
detail in this section. We also show that the concept is 
applicable on resource-constrained devices under realistic 
properties of the wireless channel. The first part is focused 
on the robustness and performance of the protocol, and in 
the second part the secrecy is quantified empirically using 
the notion of information entropy. These insights are also 
used as a basis and justification for the analytical model, 
developed in Section |6l 

5.1 WSN Testbed and lUlethodology 

The experiments were conducted over several days on 
a university floor, that is, an indoor setting across sev- 
eral rooms. During the measurements, several wireless 
LAN access points were concurrently operating in the 

2.4 GHz band; so, the experiments were performed in a real- 
world environment with unpredictable factors. The envi- 
ronment contains concrete walls, as well as office furniture 
made of different materials. Especially metal objects such as 
shelves and cabinets with good reflection properties regard- 
ing electromagnetic waves were present. Thus, this set of 
environment can be considered to generate a rich multipath 
effects, while it also represents a typical indoor scenario. 
An additional factor for this changing environment was the 
movement of people in corridors or office rooms. 
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(a) Distribution of errors for the LOS experiment (b) Distribution of errors for the non-LOS exper- (c) Success probability of key generation based 

iment on all positions. 

Fig. 4: Deviations in the channel and the resulting success rate of key generations in our experiments. 



Several different scenarios were considered to evaluate 
the impact of positioning on secrecy and robustness. A 
large meeting room was used for experiments, where the 
sensor motes always maintained a line of sight connection, 
and several smaller office rooms were used to quantify the 
impact of shadowing objects and walls. For each of these 
scenarios, 250 positions were considered, and the distance 
was kept constantly at 2.5 meters to avoid the influence 
of path loss effects. In long-term and dynamic scenarios, 
these rooms and the connecting corridors were used, and 
1000 additional positions were tested with mixed distances 
and obstacles. We used fc = 16 samples on each channel, 
collected on n = 16 channels. 

5.2 Protocol Robustness 

In order to evaluate the robustness of the protocol, a 
total of 1600 positions of the two parties was tested, and 
the measurements and deviations between the two parties 
recorded for each of the 16 channels. 

From the deviations A^ — A^amcc — ^Bob observed, we 
can see that they are bounded. The histogram of deviations 
is given in Fig. |4a] and 14b I which also shows that these 
deviations are fitted well by a zero-mean Normal distribu- 
tion with a standard deviation of cr = 0.461 dB in the LOS 
experiment and a = 0.503 dB in the non-LOS experiment. 
The empirical distributions have even lighter tails than the 
fitted Normal distributions. We can use this knowledge to 
evaluate the success probability as described in Section 14.31 
for protocol optimizations. Based on the experiments, we 
can conclude that the reciprocity of the wireless channel is 
very strong. 

The success ratio of the protocol can be directly controlled 
by the tolerance values of the code used, as codes with 
larger tolerance values are able to correct stronger devia- 
tions. With a tolerance of 1 dB, 94.6% of the key agreements 
are successful on the first run. This value is increased to 
99.2% with a tolerance of 2dB. The empirical cumulative 



distribution function (ECDF) of all experiments is shown in 
Fig. |4cl The majority of deviations are below 2 dB, and only 
a small number of extreme outliers were measured. As the 
chosen tolerance value also has an impact on the secrecy of 
the resulting bit string, a careful trade-off between secrecy 
and robustness must be found. 

5.3 Evaluation of the Channel Entropy 

We evaluated the frequency-selective channel fading effects 
in two different environmental settings: (i) connections with 
line of sight only; and (ii) connections with obstacles in 
the direct connection, that is, non-LOS connections. The 
LOS experiment was intended as the worst-case scenario 
because a strong LOS component may be able to dominate 
the multipath fading behavior. Yet, our experiments show 
that this is not the case, and both experiments yield roughly 
the same entropy. In all experiments, several different tol- 
erance values were considered to show the impact of this 
parameter on the secrecy. 

The secrecy analysis focuses on the distribution of sig- 
nal strength measurements, especially on the entropy that 
these distributions offer. The evaluation of the entropy for 
single channels is straightforward: we use the empirical 
distribution to calculate H(Ci) for each of the n channels 
individually, using the relative frequencies as the estimates 
of codeword probabilities. For example, this analysis shows 
that there are 3.5 secret bits available from each channel for 
a tolerance value of f = 1; a value of t = 0.5 results in an 
increase to 4.38 bit. 

The joint entropy under the assumption of independent 
channels is the sum of the channels' entropy values. How- 
ever, the independence cannot be assumed as the chan- 
nels are within the coherence bandwidth, and using the 
conventional approach to estimate the Shannon entropy 
of dependent channels using sampling is not effective, as 
this becomes prohibitive in spaces with larger dimensions. 
For example, to show a joint secrecy of 45 bit, at least 
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MSaKEEEECCCEMOMOOEEAAACAEOIECblMIIGEGKIKQSKIKKEAAOIEACECAKG 
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Fig. 5: A part of the T-string used for estimating the 
Shannon entropy of codewords generated by our key- 
generation protocol. This approach is based on encoding the 
codewords as ASCII strings and analyzing their minimal 
representation. 



2^^ samples must be collected. Additionally, the unknown 
dependency structure of the generated secret strings makes 
such quantification harder. The reason is that the Shan- 
non entropy operates on the knowledge of the underlying 
joint distribution, which is unknown in our case. While 
in the next section we derive a stochastic model for such 
analysis, we are still interested in finding out how much 
uncertainty is present in the experimental data without any 
assumptions on the underlying codeword distribution, i.e., 
without requiring any a priori knowledge. The idea we 
follow is based on construction complexity described by 
the notion of T-complexity li25J. T-complexity quantifies the 
difficulty to decompose input strings into codewords of T- 
codes, i.e., the complexity when trying to find the minimal 
representation of the input string. Speidel et al. |,23J show 
in their work that T-complexity is the fastest to converge 
to the true value of the Shannon entropy, and provide an 
algorithm that enables fast computations of entropy values. 
The tool tcalc Il32l , developed by the same group, was 
used to evaluate our results. As this tool operates on byte 
strings, we had to convert the lists of quantized values 
to arrays consisting of different ASCII characters as input. 
These characters were concatenated to form a large string 
that can be used as input to tcalc. A part of the T-string 
used is given in Fig. [S] 

As a result, using this method we were able to capture the 
dependencies between channels in the empirical data with- 
out explicitly knowing them. The results from this analysis 
are discussed in the next subsection and in Section [01 we 
use them for the validation of the derived stochastic model. 

5.3. 1 Results from Experimental Analysis 
A comparison of results showing the available entropy 
from the experimental data is shown in Fig. (6] With a 
tolerance value of t = 1, the entropy under independence 
assumption is 56 bit for both LOS and non-LOS connections. 
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Fig. 6: Results for the implementation on MICAz sensor 
motes. The amount of secrecy under different dependency 
assumptions is shown, with the corresponding success 
probabilities of key agreement. 



When considering the dependencies in the measurements, 
31 bit of entropy can be achieved with the limited number 
of channels and precision that the wireless sensor mote 
hardware offers. Lower tolerance values can be used to 
increase secrecy. For example, a tolerance value of 0.4, 
which results in a 56 % chance of successful key agreement, 
offers 45-50 secret bits under dependent channels. 

The entropy of generated shared secrets in this settings 
can be compared with conventional password-based se- 
curity schemes and applied to the protocols such as, for 
example, commitment-based authentication protocols using 
short authenticated (e.g., |26|, [19J, LISJ, [lOJ). Similarly, 
protocols such as the Encrypted Key-Exchange (EKE) apply 
short shared secrets for confidential exchange of public 
key material (e.g., [31, I.24J ). The shared secrets in such 
applications are usually created by the user and contain 
approximately 18 bit entropy due to dependency between 
characters (for a comprehensive overview of password 
entropy, see |2T|). Since these protocols protocols play an 
important role in wireless networks as a part of device- 
pairing schemes, generating secrets from the wireless chan- 
nel can be seen as their valuable extension and alternative 
to an user-required input of secrets. 

6 Increasing the Length of a Secret 

The experimental analysis shows that the dependencies 
between channels have considerable influence on the se- 
crecy of the proposed protocol. In contrast to previous 
section, we now develop a stochastic model that makes 
these dependencies explicit and enables us to analyze and 
predict ways to increase the achievable secrecy. Especially, 
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we want to answer questions such as: what is the impact of 
increasing the number of available channels, and increasing 
the spacing between center frequencies. To derive a realistic 
model of dependent wireless channels, we start with fitting 
and validating the distribution of single channel measure- 
ments and then extending it to a multivariate case, which 
captures the dependencies between wireless channels. The 
model is validated by comparing the resulting entropy 
values with our empirical results. 

6.1 Modeling Channel Dependency 

Frequently used distributions for large-scale models of 
wireless channels are Rayleigh, Ricean, or Log-Normal [ 20l 
depending on the properties of the respective propagation 
environment. Also, in scenarios common to WLANs and 
WSNs, where distances between transceivers are short, 
the empirical data can be approximated by the Normal 
distribution [22J, [12], {5]. To find an adequate distribution, 
we collected 4000 RSS sample means for each of the LOS 
and non-LOS scenarios, where every RSS mean was cal- 
culated over 16 measurements, estimating the distribution 
parameters using Maximum Likelihood Estimation (MLE). 
The resulting fit of the Rayleigh and Normal distributions 
to the empirical data is shown in Fig. [Ta] Additionally, 
we tested the normality of the sampled data using the 
probability plot correlation coefficient test for normality 
(FFCC), which is based on checking for linearity between 
the theoretical quantiles and the sample data [8|. In fact, the 
goodness of fit test confirms that the Normal distribution 
(correlation coefficient = 0.992) can be assumed with an 
even higher confidence than the corresponding Rayleigh 
distribution (correlation coefficient — 0.967). In this case, the 
multivariate Normal distribution can be used to describe 
the complex dependency structures of wireless channels by 
directly estimating the covariance matrix from the empirical 
data. 

Hence, to analyze the dependencies of the joint distribu- 
tion over all 16 wireless channels, especially with respect to 
the joint entropy, we model the signal strength values of dif- 
ferent channels using a single 16-dimensional multivariate 
Normal distribution. The distribution parameter estimation 
is straightforward: the vector of mean values /i, which is in 
case of the Normal distribution already the MLE for the 
population mean, and for the covariance matrix S we used 
the MLE method: 
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Finally, we validated the multivariate channel depen- 
dency model against our empirical data by using the same 
error correction mechanism (described in Section lU to 
generate secret strings and to compare the Shannon entropy 
of the empirical data with the results of the model. The 



Oh 
O 

(1) 

c 
o 
c 



^ 




0.5 



1.5 2 2.5 3 3.5 

Tolerance 



Fig. 8: Comparison of discrete entropy values based on RSS 
values generated using the stochastic model. 



results of this evaluation are given in Fig. [51 which shows 
the resulting entropy values for the non-LOS data apply- 
ing the same analysis methods used in the experimental 
analysis. The LOS experiment is omitted as the behavior 
is similar. The model captures the dependency structure 
well, resulting in a similar progression of the curve for the 
existing tolerance values, although the entropy is slightly 
overestimated by the model. 

Using this model, we can estimate the amount of en- 
tropy if additional resources are available, such as a higher 
number of channels or a larger spacing between channels. 
We only need to consider the properties of the covariance 
matrix S with respect to entropy. The differential entropy 
(in natural units) of the multivariate Normal distribution is 
given by 

i?nwAA = ^ln((27re)"deti;), (1) 

depending on the number of channels n and the determi- 
nant of E. The first-order effect of increasing the number 
of channels is easy to quantify, the differential entropy is 
increased by 2.05 bit for each additional channel. However, 
the relationship is not obvious with respect to the determi- 
nant. In the case of independence, only the main diagonal 
of the covariance matrix is populated, but in the general 
case the complete matrix has an influence that is hard to 
quantify. 

6.2 More Channels or Larger Frequency Spacing 

First, we consider the effects of the determinant on the 
security given a larger number of channels. To this end, we 
extrapolate the covariance matrix and evaluate the effect on 
the determinant. 
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(a) Fitting of different distributions to the em- 
pirical data. 
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Fig. 7: Test for different distributions of the empirical data. 



Two different prediction methods are used, one that 
extrapolates S directly and another that also simulates the 
effect of larger spacing between center frequencies and then 
extrapolates the matrix. 

We used (ixi) sub-matrices with i = 1,...,15 of the 
matrix S to predict the 16x16 matrix S. Only the val- 
ues contained in the sub-matrix are used, in the follow- 
ing manner: each diagonal is treated independently, as it 
represents a different lag in the covariances. The missing 
elements of the matrix are chosen uniformly from a range 
between minimum and maximum values on the respective 
diagonal. The results of this 16x16 prediction for the non- 
LOS experiment are shown in Fig. |9l A sample of 100 
extrapolated covariance matrices was used to predict the 
known amount of differential entropy for 16 channels, the 
used confidence level in the graph is 95%. The horizontal 
line represents a differential entropy using the correct S 
from the experiments. The predicted entropy values using 
different sub-matrix sizes are shown, obtained from mean 
values of different uniform extrapolations. Even with small 
2x2 prediction matrices, it is possible to estimate the en- 
tropy accurately. The evaluation for the LOS experiment is 
not shown, but gave similar results. Thus, we can use the 
estimation of S to predict the secrecy from a larger number 
of channels. 

The second matrix extrapolation method was used to 
evaluate the effects of a larger spacing between the chan- 
nels. Only every second (third, n-th) diagonal was used and 
the remaining ones were removed for this analysis. This 
simulates a channel spacing of 10 MHz (15 MHz, SriMHz). 
This smaller matrix is then extrapolated in the same fashion 
as described before. The quality of prediction is comparable 
to the previous results. 

Fig. [To] shows the increases of entropy we can observe 
from our model. The figure shows the results of the non- 
LOS experiment only, but the LOS experiment gave similar 
results. The results are given in differential entropy, which 
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Fig. 9: Prediction of the differential entropy using only a 
subset of available channels. Even with a small number of 
channels, an accurate prediction is possible. 



does not take the tolerances into account. The lowest line 
describes the increase in joint differential entropy if we use 
the same determinant we obtained from 16 channels. This 
results in an increase of 2.05 bit for each channel, but it 
is also a very conservative prediction, it overestimates the 
dependencies between channels with center frequencies far 
apart from each other. Using extrapolation based on the 
16x16 matrix and calculating the entropy using Eq. ([l) and 
the new S, we see an increase of 4.02 bit for each additional 
channel. The slashed line shows an additional gain if the 
channels are spaced 10 MHz apart, instead of the 5 MHz 
spacing in our experiments, yielding a 4.25 bit increase. 
Our model shows that there are several ways to increase 
the secrecy of the proposed protocol. With measurements 
of higher precision it is possible to generate more bits on 
each channel, but as this increases the hardware costs, it is 
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advisable to rather use a larger number of channels. 



o 

0) 



T3 S 

-M 

g 



p 

/ 

// 

/ o 

// 

' o 
/ o o 


>'■■■ 


o 


Fixed det (i:) 

Extrapolated dct (Z") 

10 MHz spacing 











40 



60 80 100 

Number of channels 



120 



Fig. 10: Extrapolation of covariance matrix Y, for a larger 
number of channels to evaluate of the model with respect 
to secrecy gains. 



already provide secrets up to 50 bit, depending on the 
wireless channel behavior. A stochastic model derived in 
this work validated our experimental data and provided 
guidelines on how to increase the length of the secret 
keys based on either increasing the number of wireless 
channels or increasing the channel spacing. For example, if 
the number of channels of the present IEEE 802.15.4 is set 
to 40, this protocol can generate up to 160 bit secret keys in 
static scenarios. 

The possibility to increase the length of a secret by using 
additional wireless channels or larger frequency spacing 
is an interesting alternative to computational-based ap- 
proaches not only from the security perspective but also 
from the network throughput perspective. For example, 
cognitive radio is focused on increasing the utilization 
of limited radio resources by dynamically adjusting the 
transmission to interference-free frequencies. The key gen- 
eration protocol introduced in this work can inherently take 
advantage of such technologies. 

Finally, this approach to key generation is intended to 
extend and support conventional security designs as it only 
needs a limited number of messages exchanges to generate 
shared secrets even on the currently available, off-the-shelf 
WSN devices. 



7 Conclusion 

Secret key generation and distribution poses one of the 
main security challenges in wireless networks, especially 
in computation-limited WSNs. In conventional security 
schemes, the wireless channel is usually considered as a 
part of an adversarial toolbox which additionally helps to 
launch different attacks by abusing its broadcast nature. Yet, 
in recent years a number of papers following an alternative 
approach to wireless security have demonstrated that the 
unpredictable and erratic nature of wireless communication 
can be used to enhance and augment conventional security 
designs. Taking advantage of physical properties of signal 
propagation, mutual secrets between wireless transmitters 
can be derived. While this approach for securing wireless 
networks has been recently addressed in IfTSl , l2ll , both 
contributions require movement as the main generator of 
secret material. Although valuable to mobile networks, 
such solutions are not applicable to the majority of WSN 
applications which are based on static sensor motes. 

The main focus of this work was to overcome this limi- 
tation. We started by introducing a system model based on 
real-world measurements using IEEE 802.15.4 technology, 
and describing building blocks of a novel key generation 
protocol. To demonstrate its applicability, the protocol was 
implemented and evaluated using MICAz sensor motes. 
Experiments show that the protocol is able to successfully 
generate keys in over 95% of the cases, irrespective of 
environmental properties. By using only a very limited 
number of wireless channels, the proposed protocol can 
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